Feature Changes
~~~~~~~~~~~~~~~
-- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
- NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
- or the SOA TTL. :gl:`#2347`
+- DNSSEC responses containing NSEC3 records with iteration counts
+ greater than 150 are now treated as insecure. :gl:`#2445`
- The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. :gl:`#2642`
-- DNSSEC responses containing NSEC3 records with iteration counts
- greater than 150 are now treated as insecure. :gl:`#2445`
+- The default value of the ``max-ixfr-ratio`` option was changed to
+ ``unlimited``, for better backwards compatibility in the stable
+ release series. :gl:`#2671`
- Zones that want to transition from secure to insecure mode without
becoming bogus in the process must now have their ``dnssec-policy``
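Review bot: the relocated ``max-ixfr-ratio`` entry says the default "was changed to ``unlimited``" but does not name the previous default, so a reader cannot tell from this note whether incremental transfer behaviour changes on upgrade; consider stating the old value alongside the new one. Placing the two NSEC3 iteration entries next to each other reads better. Since responses above 150 iterations are now "treated as insecure", it would help if the first entry pointed operators of signed zones at the second one, so the validator-side effect and the configuration limit are read together.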
``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
records to be published. :gl:`#2645`
-- The default value of the ``max-ixfr-ratio`` option was changed to
- ``unlimited``, for better backwards compatibility in the stable
- release series. :gl:`#2671`
+- The implementation of the ZONEMD RR type has been updated to match
+ :rfc:`8976`. :gl:`#2658`
+
+- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
+ NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
+ or the SOA TTL. :gl:`#2347`
Bug Fixes
~~~~~~~~~
+- It was possible for corrupt journal files generated by an earlier
+ version of ``named`` to cause problems after an upgrade. This has been
+ fixed. :gl:`#2670`
+
- TTL values in cache dumps were reported incorrectly when
``stale-cache-enable`` was set to ``yes``. This has been fixed.
:gl:`#389` :gl:`#2289`
-- When generating zone signing keys, KASP now also checks for key ID
- conflicts among newly created keys, rather than just between new and
- existing ones. :gl:`#2628`
-
-- The implementation of the ZONEMD RR type has been updated to match
- :rfc:`8976`. :gl:`#2658`
+- ``named`` and ``named-checkconf`` did not report an error when
+ multiple zones with the ``dnssec-policy`` option set were using the
+ same zone file. This has been fixed. :gl:`#2603`
-- If ``dnssec-policy`` was active and the private key file was
- temporarily offline during a rekey event, ``named`` could introduce
+- If ``dnssec-policy`` was active and a private key file was temporarily
+ offline during a rekey event, ``named`` could incorrectly introduce
replacement keys and break a signed zone. This has been fixed.
:gl:`#2596`
-- It was possible for corrupt journal files generated by an earlier
- version of ``named`` to cause problems after an upgrade. This has been
- fixed. :gl:`#2670`
-
-- ``named`` and ``named-checkconf`` did not report an error when
- multiple zones with the ``dnssec-policy`` option set were using the
- same zone file. This has been fixed. :gl:`#2603`
+- When generating zone signing keys, KASP now also checks for key ID
+ conflicts among newly created keys, rather than just between new and
+ existing ones. :gl:`#2628`
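Review bot: the journal entry now leading Bug Fixes still says only that corrupt journal files could "cause problems after an upgrade", which gives an operator no symptom to look for and does not say what ``named`` now does with such a file; consider naming the failure and the new handling. The ZONEMD entry is moved from Bug Fixes to Feature Changes with its text unchanged. If it is now classed as a behaviour change, a short statement of what differs for zones that already carry ZONEMD records would justify the new placement. The rewording of the rekey entry ("a private key file", "could incorrectly introduce") is fine as is.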